Cover V13, i02

Article

feb2004.tar

Securing Intranets with IPCop

Phil Barnett and Bryan Smith

Simply put, your small-to-medium business intranet is only as strong as its weakest point. In-depth defense is the only adequate approach to security. One compromised system on an intranet is all it takes for trojans, such as key-loggers, to be planted and used to harvest passwords and access even more systems. An in-depth defense requires both host and network auditing and detection, in addition to basic host and network perimeter security. Because any security can be defeated, it is essential to be alerted when it has been. There is no greater business liability than an intranet that has become unknowingly compromised.

IPCop is an ideal, low-budget solution for intranets that require comprehensive network security. On the surface, IPCop is an integrated Web interface with a formidable assortment of security tools. Inside, IPCop is actually a scaled-down Linux distribution outfitted and optimized to serve as a firewall. IPCop consists of several core components:

1. Linux Netfilter -- Stateful packet inspection (firewall) with NAT/PAT and full logging capabilities

2. Snort -- The community standard for real-time network IDS

3. Squid -- The community standard for Internet proxy

4. FreeS/WAN IPSec support, including instant inter-office VPNs, as well as pass-through

5. Various LAN services, including internal DHCP, external Dynamic DNS registration, etc.

6. Web-based configuration and administration

7. Built in self-patching/updating capabilities

8. Backup and restore of IPCop configuration

The purpose of IPCop is to bring these critical security applications into a complete security solution with a convenient Web interface.

Stateful packet inspection makes IPCop practically an "install and forget" firewall from the standpoint of desktop compatibility for outgoing connections. Of course, allowing any outgoing connection is not recommended, as compromised systems can "phone home". Like any advanced, stateful firewall, IPCop can limit outgoing connections as well as incoming. Such configuration does increase support costs because legitimate outgoing access must be tested for and enabled. IPCop provides a place to store custom rules and include them in backup and restore mechanisms so they are not lost during upgrades.

Hardware

First and foremost, IPCop is a lightweight Linux distribution. As such, the driver selection is focused on communication hardware, and limited in other hardware (e.g., ATA/IDE drives). All major PCI and most ISA network interface cards (NICs) are supported, in addition to major ISA-UART, serial, and ACM-compliant USB modems. Some proprietary modems, typically software-based, are supported, but they are not recommended.

Be sure to check the current IPCop Hardware Compatibility List (HCL) before considering IPCop. As of this writing, the list was located at:

http://www.ipcop.org/cgi-bin/twiki/view/IPCop/IPCopHCLv01/

Minimally, you will need:

  • A 386 with 16MB (more for Snort, and even more for Squid support)
  • An ATA hard drive of at least 125MB + 2x RAM capacity (which will be completely wiped)
  • At least two communication devices (e.g., a modem and a NIC, two NICs, etc.)

A suggested minimum for ease of installation includes using PCI-based motherboards and NICs so they are auto-detected and configured, 32-128MB (or more), and BIOS that supports booting from the CD-ROM drive. If you intend to turn on the Squid Proxy Cache, you will need additional memory and disk (256MB memory and 1GB disk recommended). Larger disk drives also allow logs to be stored longer.

IPCop 1.3.0 supports up to three communication devices, which it can segment into three subnets:

  • LAN (GREEN) -- Always a NIC
  • Internet (RED) -- Various devices with both dynamic and static IP support (including support for multiple, static addresses)
  • DMZ (ORANGE) -- Optional, always a NIC

If your RED is via an Ethernet-connected broadband device, you will need a separate, dedicated NIC for each of RED and GREEN. Most readers will recognize the necessity of this requirement, but at least one office I consulted as recently as 2001 was still connecting their RED and GREEN zones into the same Ethernet hub. Attempting to educate the "vendor-certified experts" on bypassing layer 3 controls (such as a packet filter) with direct, layer 2 access proved impossible.

Download

Most consumers will want to download the IPCop CD image and record it to CD-R. As of version 1.3.0, the CD image size is approximately 22MB and available from:

http://prdownloads.sourceforge.net/ipcop/ipcop-1.3.0.iso

The CD image is in ISO9660 standard Yellow Book format, commonly referred to as an ISO (.iso) image file. Most popular Windows CD recording programs (including Roxio CD Copier and Nero Burning ROM) support recording to CD-R from such an .iso file. The menu selection is typically "Create from [premade] [CD | disk] image" in your Windows recording software. (If you record the CD, and it only has one file on it, then it was made incorrectly. You do not need to "re-master" a new CD image; the .iso file is a CD image already. Find the option in your Windows recording software that simply records a CD from a pre-made CD image.)

IPCop supports three modes of installation:

  • CD boot and install -- CD-ROM drive system, CD-bootable BIOS
  • Floppy boot and CD install -- CD-ROM drive system
  • Floppy boot and Web Server Install -- No CD-ROM drive, Web Server on network

The second two install options require the creation of floppy disks. Floppy disk images are in the CD's /images directory -- one boot and one driver disk. If you are running Windows, the rawrite.exe (and rawwritewin.exe) utilities are included in the CD's /dosutils directory for creating them. If you are selecting the last option, insert the CD-R on your Web server (or copy the files to a directory on the system), and assign an appropriate virtual directory under your Web server root.

Installation of IPCop is a two-part process. The first part, installation, is a text-based install (cursor), which puts the distribution on your IPCop system's hard drive. This part must be done from the local console (keyboard/monitor) of the IPCop hardware itself. You configure it by selecting elementary systems -- like drivers and network configuration -- and auto-configuration that needs to be done only once at install time. The second part, administration, is done via a Web browser on any system on your LAN and has exponentially more screens. I will briefly cover both.

Installation

Installation is covered in detail with dozens of screenshots in the IPCop Installation Manual. As of this article, the online 1.3.0 version was available at:

http://www.ipcop.org/1.3.0/en/install/html/

If you have installed a full-blown Linux distribution before, you will find IPCop's installation comparatively simple. It wipes your hard drive, detects hardware, installs itself, asks a few configuration questions, and reboots. The procedure is as follows:

1. LILO (Linux Loader) prompt (pressing Enter is typically sufficient)

2. Selection of language

3. Installation approach (local CD-ROM or HTTP/Web server)

4. Wiping of your hard drive and installation of files

5. Selection of your NIC driver for LAN (GREEN)

6. Setup of the IP address/subnet mask for GREEN

7. Additional locale settings (keyboard, timezone)

8. Set system hostname

9. ISDN device configuration (if applicable)

10. Text menu-driven setup, including:

  • Internet/RED (and optional DMZ/ORANGE) network configuration type
  • Selection of additional NIC drivers
  • Setup of additional IP address/subnet masks (or DHCP client assignment, in the case of RED)
  • DNS and gateway settings (for the LAN DHCP server, if desired)

Again, GREEN is your intranet's private LAN. Enter the appropriate addressing information for your intranet. The physical NIC assigned to GREEN will match the NIC driver. (If you have more than one NIC that uses the same driver, GREEN will be the NIC in the lowest PCI slot number on your mainboard. If your GREEN NIC is ISA, and you have more than one that uses the same driver, it is not so clear. Multiple ISA card assignment will depend on the I/O address entered or detected (if PnP).) Assigning the correct address to the GREEN interface is the most important step, as it will allow you to access the IPCop box remotely.

The text menu-driven setup can be revisited at any time after installation, either directly on the console (keyboard/monitor), or remotely via SSH. For example, if you configured your Network Configuration Type to be "GREEN (RED is modem/ISDN)" because you were on dial-up, but then switched to an Ethernet-based broadband connection, you could log in as "setup" and switch to "GREEN + RED" to use two NICs. You can also change drivers and IP addresses from the "setup" logic.

Upon exiting the menu-driven setup on the initial install, you will be prompted to set three passwords:

1. root -- "Superuser" console/SSH login that should never be used (except to change root/setup passwords)

2. setup -- Text console/SSH login that launches the text menu-driven setup (to change NIC drivers, basic network settings)

3. admin -- Web-based login for changing various run-time settings, services, etc. (used for 99.99% of IPCop's administration)

Having gone through this procedure many times while installing IPCop on dozens of systems, we can say these steps should take no longer than 10 minutes on systems that have bootable CD-ROMs and use PCI NICs. IPCop is easy to maintain and upgrade due to its backup and restore facilities, which can remove the need to reconfigure after any rebuild or upgrade. In fact, IPCop's installer checks for the existence of such a backup disk in the floppy drive (even on a new install) to remove the need for any configuration prompts.

Your new IPCop box will reboot and you should be able to continue with the second part -- administration.

Administration

Administration is detailed with dozens of screen shots in the IPCop Administrative Guide. As of this article, the online 1.3.0 version was available at:

http://www.ipcop.org/1.3.0/en/adminl/html/

Upon the first reboot, the IPCop box will emit a sequence of beeps. The first sequence (not including the Power-On Self Test of the system when first powered on) indicates that you may log in remotely via a Web browser:

  • URL: https://my.ipcop.green.address:445 (note the use of HTTP-SSL (https://) and the non-default port for SSL, 445/tcp instead of 443/tcp)
  • Username: admin
  • Password: As set for user "admin" during the installation phase

IPCop's Web interface has several different screens, each with one or more tabs.

Home -- Shows the current status of the connection, plus connect and disconnect buttons (for non-persistent connections, like dial-up). This is the only page that will not prompt for "admin" credentials when viewed (although pressing connect/disconnect will prompt).

Information -- Shows a variety of system information, including services running, familiar Unix command output for disk, memory (and so forth) usage, traffic graphs, proxy graphs (if the service is enabled), and the state of real-time connections.

Dialup -- Configuration of dial-up parameters, such as username/password, for both non-persistent (analog modem, DSL) connections, as well as persistent connections negotiated by IPCop, not the modem (e.g., PPPoE over DSL).

Services -- Configuration of IPCop services, including Web proxy, DHCP (GREEN zone server), port forwarding (allow limited RED access into GREEN or ORANGE), external aliases (DNAT from RED to GREEN or ORANGE, must have static public IP(s) on RED), external service access (not recommended), DMZ pinholes (allow limited ORANGE access to GREEN), and dynamic DNS. Features you do not need can be left at their defaults, which are disabled/unused.

VPNs -- Set up VPN connections to other IPSec systems/networks. The IPSec implementation uses the 3DES cipher and a shared secret.

Logs -- For IPCop to be an effective SMB network security solution, these must be checked regularly. "Logs" includes other system and network logging facilities (e.g., PPP chat output, service start/stop, etc.), Web proxy, firewall logs (Linux kernel), and IDS events (real-time auditing and detection). The IDS events include hyperlinks to the public Snort database, giving detailed output on the detected threat or compromise. This tab should be visited several times throughout the day.

System -- Updates (fixes uploaded via the browser), time (including network time protocol, NTP, client/server), admin/dialup passwords, SSH access enable/disable, Snort IDS enable/disable, backup (downloaded to floppy, can be taken to other IPCop systems/versions) and reboot/shutdown.

Dial-up, ISDN, or broadband users where IPCop negotiates the PPPoE connection (instead of the modem itself) will need to configure the Dial-up page before their services will be available. Once that is completed, the "connect" button may be pressed on the Home screen to connect.

If the connection is persistent and negotiated by the modem or other WAN device, IPCop should work on the first boot. A second beep sequence should have been heard shortly after the first, indicating an Internet connection was established. All other services and features to be configured are optional.

Enabling Snort/IDS on the System page is highly recommended on Pentium-class systems or better. Be sure to visit the Updates tab on the System page, and upload any fixes downloaded from the IPCop Web site. IPCop checks occasionally whether more updates are available and, if they are, notifies you on the Home screen. Finally, check both the Firewall and Snort logs several times a day.
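The firewall log IPCop shows on the Logs page is the Linux kernel's netfilter LOG output. The following added example (not code from the article or from IPCop) parses such lines and produces the two things worth looking at several times a day: outside sources probing many inbound ports on RED, and GREEN hosts whose outgoing connections were logged by a custom outbound rule (the "phone home" case). The log lines are constructed samples; the interface names (eth0 = GREEN, eth1 = RED) and the "OUTGOING" log prefix are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample kernel log lines in netfilter LOG format (documentation
# addresses). Assumed layout: eth0 = GREEN, eth1 = RED; "OUTGOING" is an
# assumed --log-prefix on a custom outbound rule, "INPUT" on the inbound chain.
SAMPLE_LOG = """\
Feb  3 10:12:01 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12345 DF PROTO=TCP SPT=3214 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Feb  3 10:12:02 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12346 DF PROTO=TCP SPT=3215 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Feb  3 10:12:02 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12347 DF PROTO=TCP SPT=3216 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Feb  3 10:12:03 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.5 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12348 DF PROTO=TCP SPT=3217 DPT=1433 WINDOW=16384 RES=0x00 SYN URGP=0
Feb  3 10:13:10 ipcop kernel: INPUT IN=eth1 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:11:22:33:08:00 SRC=203.0.113.77 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb  3 10:15:40 ipcop kernel: OUTGOING IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=1042 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  3 10:15:41 ipcop kernel: OUTGOING IN=eth0 OUT=eth1 SRC=192.168.1.23 DST=203.0.113.200 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=778 DF PROTO=TCP SPT=1043 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  3 10:16:00 ipcop kernel: OUTGOING IN=eth0 OUT=eth1 SRC=192.168.1.50 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=779 PROTO=UDP SPT=1024 DPT=53 LEN=40
"""

# syslog header, then the netfilter fields; the text between "kernel:" and
# "IN=" is whatever --log-prefix the logging rule used. SPT/DPT are absent
# for ICMP, so that group is optional.
NF_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)\s*IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return the netfilter fields of one kernel log line, or None."""
    m = NF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ("spt", "dpt"):
        rec[k] = int(rec[k]) if rec[k] else None
    return rec


def summarize(log_text, green_if="eth0", red_if="eth1", scan_ports=3):
    """Count inbound hits per (src, proto, dport), flag sources that touched
    at least scan_ports distinct ports, and count logged GREEN->RED flows."""
    inbound, outbound = Counter(), Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                      # not a netfilter line (e.g. PPP chat)
        if rec["in"] == red_if and not rec["out"]:
            inbound[(rec["src"], rec["proto"], rec["dpt"])] += 1
            if rec["dpt"] is not None:
                ports_by_src[rec["src"]].add(rec["dpt"])
        elif rec["in"] == green_if and rec["out"] == red_if:
            outbound[(rec["src"], rec["dst"], rec["proto"], rec["dpt"])] += 1
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_ports)
    return {"inbound": inbound, "scanners": scanners, "outbound": outbound}
```

Feed it the kernel log exported from the Logs page (or pulled over SSH) and review the "scanners" and "outbound" entries first; a GREEN host repeatedly logged on an unexpected outbound port is the compromise indicator the article warns about.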

Add-ons

As IPCop deployment has gained in popularity, a number of features have been suggested. Some of these features have been implemented as add-ons, although their integration with IPCop by the end-user may be more than trivial. A sample of some of the most popular add-ons follows (by category):

Filters -- DansGuardian and SquidGuard add Internet site-filtering capabilities to the Squid proxy service in IPCop. This is by far the most requested feature for SMB networks, for obvious legal considerations. Of course, savvy desktop users can reconfigure their browsers to bypass the IPCop proxy, which is why these filtering solutions should be combined with additional outgoing firewall rules (from simple port 80/443 redirection to denying all outgoing packets by default). Other filters exist that target other services, such as peer-to-peer (P2P) clients; FastTrack p2p Blocker is one example.

Logs -- Logcheck, DansGuardian LogViewer, and other log add-ons exist to help automate log extraction from IPCop's kernel, Snort, and other various services to another system for further analysis.

Zones -- Orange-as-Green is a mode that turns the DMZ/ORANGE zone into a second GREEN, including Web proxy support, but closes traffic between the two. The best use of this is for wireless LAN (WLAN) networks that should be segmented from wired LANs.

IPCop 1.4 may be released by the time this article is published. It will include a new "BLUE" zone as standard for wireless that is segmented from "GREEN" (removing the need for the current add-on and freeing up the "ORANGE" DMZ zone). It will also include software that will take advantage of Linux 2.4's traffic-shaping functionality, giving priority access to various services and nodes. Snort will now log on all zones, and the interface will offer more extensive logging capabilities.

More information on IPCop add-ons can be found at:

http://firewalladdons.sourceforge.net/index.html

and:

http://www.dageek.co.uk/ipcop/addonz/

Conclusion

To guarantee in-depth defense, both network and host security solutions need to be implemented in any organization. While many SMB intranets implement adequate host security, most lack even basic network IDS capability, which is a security necessity. IPCop has capabilities far beyond a simple deny-all firewall.

IPCop is a more comprehensive network security solution for SMB intranets with stateful packet inspection, real-time network logging, auditing, and accompanying network intrusion detection. It also includes SMB-desirable features like site-to-site/remote-to-site VPN and Internet proxy services (with filtering add-ons available) at no additional cost. It can be quickly installed as an effective solution, instantly offering greater awareness of threats to, and possible compromises of, your SMB intranet. How appropriate that IPCop's motto is "The Bad Packets Stop Here!".

Phil Barnett is a Senior Programmer Analyst at a Fortune 100 company and has been associated with the IPCop project since its inception. He has been working primarily with security-related projects in the corporate world for the past nine years.

Bryan J. Smith holds a BSCpE from UCF, currently 28 (and counting) IT/vendor certifications, and more than 12 years of combined IT/engineering experience (securing corporate networks for as many years). Both authors would like to thank the IPCop developers for their donation of thousands of hours of love and labor in making IPCop the best product it can be!